HackTheBox - Editorial

Video description: HackTheBox - Editorial

00:00 - Introduction
00:47 - Start of nmap
02:00 - Discovering the webserver is likely running Flask
03:30 - Discovering an SSRF in the request to publish books, showing we could leak the server's IPv6 address, but it's not too useful here
07:30 - Using FFUF to fuzz all open ports on localhost to discover that port 5000 is open, which is an API server
11:25 - Looking at the messages endpoint, which discloses a password for dev that we can SSH with
17:10 - Discovering a git directory, searching git commits for the word prod and getting another password
19:40 - The prod user can run a Python script that uses the Python git library, which has an RCE CVE. We can use the shell extension in the URL to execute code
